HIPAA’s 2025 BCDR Update: Rethink It As Patient Care


Our work moving hospital data centers and remediating cybersecurity incidents taught us something that’s easy to overlook until you’re in the middle of it: standing up servers isn’t the hard part; having a run-book that ensures patient care continuity is. That experience forced us to understand how applications, data, and clinical workflows fit together under pressure.

Now, with the proposed changes to the HIPAA Security Rule, healthcare administrators are asking how to turn that kind of insight into a sustainable program. The new HIPAA guidance makes one thing clear: disaster recovery (DR) can’t just be about restoring systems. It has to be about preserving care.

Most DR plans still center around technology and infrastructure. They outline how to restore servers, storage, and connectivity. But that’s not enough. Clinical workflows depend on whole systems coming back in a specific order.

When they don’t, the electronic care process breaks down. The EMR may load, but orders can’t be placed. Imaging may come online, but results don’t route. Pharmacy systems might start up, but can’t pull the information they need to fill a prescription. And staff end up spending critical time putting out fires instead of focusing on patients.

Most technical teams struggle to answer a basic question:

When these ten servers are down, what parts of patient care are affected? What’s downstream? Who owns continuity while they’re out?

That’s not a trick question. It’s where patient care continuity and disaster recovery planning should begin — and where it usually breaks down.

If you don’t know how servers connect to applications, how those applications support care, what depends on what, and who steps in when things fail, you’re not planning for recovery and continuity. You’re planning to restart equipment.

And if the workflows don’t come back, neither does care.


The Disconnect: Systems Come Up. Workflows Don’t.

IT teams focus on recovering technical services. Clinical teams follow downtime protocols and paper-based processes. But the two groups don’t always plan together, and in most organizations, they rarely test together.

That leads to confusion during outages. One team thinks recovery is complete. The other is still waiting for basic functions to work. Interfaces silently fail. Order flows don’t resume. People assume someone else is handling it.

The 2025 HIPAA changes aim to fix this. Recovery plans now need to reflect how care is actually delivered — not just how systems are hosted.


How to Make BCDR Match How Care Actually Happens

Business Continuity Disaster Recovery (BCDR) refers to the processes and strategies that organizations implement to ensure they can continue operations during and after a disaster. It combines business continuity, which focuses on maintaining essential functions, and disaster recovery, which deals with restoring IT systems and data after an incident.

1. Start with a real workflow.
Pick one that matters: ED triage to imaging, med administration in ICU, or surgical discharge. Map out the people, systems, and steps involved.

2. Let clinical risk set recovery priorities.
What’s needed to keep patients safe should come first. Other systems — even if technically important — may need to wait.

3. Involve all sides from the start.
Bring together IT, cybersecurity, clinical operations, compliance, and application teams. No group can plan for recovery alone.

4. Run tests that follow the full path.
It’s not enough to confirm the EMR is online. You need to walk through the process. Can staff place orders? Are results available? Does the workflow hold?

5. Monitor the whole flow, not just uptime.
Use telemetry, test orders, or simulated users to confirm systems are working as expected. Being online isn’t the same as being completely usable.
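The question posed earlier ("when these ten servers are down, what parts of patient care are affected, what’s downstream, who owns continuity?") and steps 1 through 5 above come down to one artifact: a dependency map from servers to applications to workflow steps, with a clinical criticality and a continuity owner attached to each workflow. The following is an added example, not code from the article or any vendor; every server, application, workflow, owner and criticality score in it is constructed sample data, and the recovery ordering rule (dependencies first, then the most clinically critical application) is an assumption you should confirm with your clinical leads.

```python
"""Workflow-to-system dependency map for care continuity planning.

Added example (not code from the article): answers "when these servers are
down, which parts of patient care break and who owns continuity?" and derives
a recovery order that brings dependencies up first and the most clinically
critical applications next. All names and scores are constructed sample data.
"""
from collections import defaultdict
from graphlib import TopologicalSorter

# Constructed: which servers each application runs on.
APP_SERVERS = {
    "EMR": {"emr-db-01", "emr-app-01"},
    "CPOE": {"emr-app-01", "orders-01"},
    "LIS": {"lab-01"},
    "LabInterface": {"hl7-engine-01"},
    "PACS": {"pacs-01", "pacs-db-01"},
    "Pharmacy": {"rx-01"},
    "Scheduling": {"sched-01"},
}

# Constructed: application -> applications it cannot function without.
APP_DEPS = {
    "CPOE": {"EMR"},
    "LabInterface": {"LIS", "EMR"},
    "Pharmacy": {"CPOE"},
    "PACS": {"EMR"},
    "Scheduling": {"EMR"},
}

# Constructed: workflows as ordered steps with the apps each step needs, a clinical
# criticality (5 = patient safety now, 1 = can run on paper for days) and the
# role that owns continuity when the step is down.
WORKFLOWS = {
    "ED triage to imaging": {"criticality": 5, "owner": "ED charge nurse", "steps": [
        ("register patient", {"EMR"}), ("place imaging order", {"CPOE"}), ("view images", {"PACS"})]},
    "ICU medication administration": {"criticality": 5, "owner": "ICU pharmacist", "steps": [
        ("order medication", {"CPOE"}), ("verify and dispense", {"Pharmacy"}), ("document administration", {"EMR"})]},
    "Lab result routing": {"criticality": 4, "owner": "Lab supervisor", "steps": [
        ("order lab", {"CPOE"}), ("run test", {"LIS"}), ("route result to chart", {"LabInterface"})]},
    "Elective scheduling": {"criticality": 1, "owner": "Scheduling lead", "steps": [
        ("book appointment", {"Scheduling"})]},
}


def unavailable_apps(down_servers):
    """Apps hosted on a down server, plus everything that transitively depends on them."""
    down = {app for app, hosts in APP_SERVERS.items() if hosts & set(down_servers)}
    changed = True
    while changed:  # propagate the outage along APP_DEPS until nothing new is added
        changed = False
        for app, needs in APP_DEPS.items():
            if app not in down and needs & down:
                down.add(app)
                changed = True
    return down


def impact(down_servers):
    """Map a set of down servers to the workflow steps that break and who owns continuity."""
    down_apps = unavailable_apps(down_servers)
    report = {}
    for name, wf in WORKFLOWS.items():
        broken = [step for step, needs in wf["steps"] if needs & down_apps]
        if broken:
            report[name] = {"broken_steps": broken, "owner": wf["owner"],
                            "criticality": wf["criticality"]}
    return report


def recovery_order(down_apps):
    """Dependencies first; among apps ready to restore, the one serving the most critical workflow."""
    weight = defaultdict(int)  # app -> highest criticality of any workflow step that needs it
    for wf in WORKFLOWS.values():
        for _, needs in wf["steps"]:
            for app in needs:
                weight[app] = max(weight[app], wf["criticality"])
    # Only dependencies that are themselves down constrain the order; apps still up are available.
    ts = TopologicalSorter({app: APP_DEPS.get(app, set()) & down_apps for app in down_apps})
    ts.prepare()
    ready, order = set(), []
    while ts.is_active():
        ready.update(ts.get_ready())
        nxt = min(ready, key=lambda a: (-weight[a], a))  # highest criticality first, then name
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)
    return order


if __name__ == "__main__":
    outage = {"emr-app-01"}
    for wf, detail in impact(outage).items():
        print(f"{wf}: broken {detail['broken_steps']} -> continuity owner: {detail['owner']}")
    print("recover in order:", recovery_order(unavailable_apps(outage)))
```

Run it with a single application server down and the output is the answer the article says most technical teams cannot give: which workflow steps stop, who picks up the paper process, and which application to restore first. Feeding it real asset-inventory and interface-engine data is the mapping work in steps 1 and 2; the ordering it produces is what step 4 should walk through end to end.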


Know Where to Compromise

In most hospitals, you won’t bring everything back at once. You’ll be working with constraints: limited staff, partial infrastructure, tight windows. It’s not fair — but it’s the reality care teams have to operate within.

That’s why priorities matter. Just as clinicians triage patients, BCDR teams need to triage workflows.

Some functions — like elective scheduling or non-urgent outpatient processes — may need to stay offline longer or operate on paper. That makes space for pharmacy, imaging, lab, and EMR systems to recover in the right order for critical care to continue.

These aren’t easy decisions. But they need to be discussed, documented, and tested. They can’t be left to chance.


Test the Plan by Trying to Break It

Plans don’t become resilient by writing them down. They become resilient through usage — especially under stress.

That’s where controlled failure — chaos engineering — comes in. It’s not about creating disruption. It’s about safely simulating it so teams can see where things break before it happens for real.

  • What happens if an interface fails between lab and EMR?
  • What if pharmacy can’t access CPOE data for 30 minutes? An hour? A day?
  • What if imaging results don’t show up in PACS?

These aren’t theoretical risks. They’ve happened, and with cyberattacks they are happening more often and lasting longer.

The real difference is whether your team has worked through it before and knows how to respond — or whether they’re figuring it out in the moment.

These exercises expose the gaps that paperwork and tabletops miss. They give your team a chance to make mistakes when the stakes are low — and be ready when they’re not.
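The three scenarios above (an interface failing between lab and EMR, pharmacy or the lab losing order data for a defined period, results not arriving) share one structure: state what "working" means for the workflow, inject a single controlled fault, push a clearly labelled synthetic order through every step, record where it breaks and whether the downtime protocol names an owner for that step, then remove the fault and confirm the flow recovers. The following is an added example, not code from the article, Main Line Health, or any vendor: the CPOE, LIS and EMR systems and the two interface links are in-memory stand-ins (constructed), and the 30-minute result tolerance and the downtime owners are assumptions standing in for your own downtime procedures.

```python
"""Chaos-style exercise for one workflow: lab order placed in CPOE, run in the
lab system (LIS), result routed back to the chart in the EMR.

Added example, not code from the article or any vendor. Systems and links are
constructed stand-ins; the tolerance and downtime owners are assumptions.
"""

TOLERANCE_MINUTES = 30  # assumption: a lab result must reach the chart within 30 min

# Assumption: who runs the manual fallback when a given step is down.
DOWNTIME_OWNERS = {
    "send order": "Lab supervisor: paper requisition, phoned to lab",
    "route result": "Lab supervisor: phone results to unit; EMR downtime inbox",
    "chart result": "Unit charge nurse: paper result filed, back-entered after recovery",
}


def link(name, msg, faults):
    """Stand-in interface link. A fault is 'drop' (message lost) or an int (minutes of delay)."""
    fault = faults.get(name)
    if fault == "drop":
        return None
    if isinstance(fault, int):
        return dict(msg, minutes=msg["minutes"] + fault)
    return msg


def build_flow(faults):
    """Ordered steps of the workflow; each returns the updated message, or None if it was lost."""
    return [
        ("place order", lambda m: dict(m, order_id="SYN-0001")),
        ("send order", lambda m: link("CPOE->LIS", m, faults)),
        ("run test", lambda m: dict(m, result="synthetic-OK", minutes=m["minutes"] + 20)),
        ("route result", lambda m: link("LIS->EMR", m, faults)),
        ("chart result", lambda m: dict(m, charted=True)),
    ]


def run_probe(faults=None):
    """Push one synthetic, clearly labelled order through every step and judge the outcome."""
    msg = {"patient": "ZZTEST-SYNTHETIC", "minutes": 0}
    for step, fn in build_flow(faults or {}):
        msg = fn(msg)
        if msg is None:
            return {"ok": False, "failed_step": step, "reason": "message lost"}
    if msg["minutes"] > TOLERANCE_MINUTES:
        return {"ok": False, "failed_step": "chart result", "minutes": msg["minutes"],
                "reason": f"result reached chart after {msg['minutes']} min (tolerance {TOLERANCE_MINUTES})"}
    return {"ok": True, "minutes": msg["minutes"]}


def experiment(link_name, fault, current_faults=None):
    """Baseline -> inject -> observe -> roll back. Abort if the steady state already fails."""
    current = dict(current_faults or {})
    baseline = run_probe(current)
    if not baseline["ok"]:  # never add a fault to a workflow that is already broken
        return {"aborted": True, "reason": "steady state not met before injection: " + baseline["reason"]}
    injected = run_probe({**current, link_name: fault})
    rollback = run_probe(current)  # fault removed: does the flow come back by itself?
    failed = injected.get("failed_step")
    return {
        "aborted": False,
        "hypothesis_held": injected["ok"],
        "failed_step": failed,
        "downtime_owner": DOWNTIME_OWNERS.get(failed, "UNASSIGNED - gap in downtime protocol"),
        "recovered": rollback["ok"],
    }


if __name__ == "__main__":
    for scenario in [("LIS->EMR", "drop"), ("CPOE->LIS", 60), ("CPOE->LIS", 5)]:
        print(scenario, experiment(*scenario))
```

Two details matter more than the simulation itself. The steady-state check before injection is what keeps a chaos exercise from becoming an outage: if the probe already fails, the experiment aborts instead of stacking a second fault on a live problem. And the "UNASSIGNED" result is the finding tabletops tend to miss; a step that can break with nobody named in the downtime protocol is a gap to fix before the next exercise.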


For Hospital and Healthcare Administrators: Where to Begin

If you’re responsible for HIPAA compliance or operational readiness, here’s a practical starting point:

  • Choose one patient-critical workflow. Something real. Something impactful.
  • Build a small cross-functional team. Clinical, IT, compliance, and app owners.
  • Map what it takes to make that workflow work. Systems, interfaces, dependencies, sequencing.
  • Test it. Start with a tabletop. Then simulate an outage and see how the team responds.
  • Document the decisions. What gets recovered first? What can wait? Who owns what?
  • Iterate on it. Patient care continuity is not a one-and-done exercise. It will take a couple of iterations to gain operational readiness and clinical confidence. Then move into continual improvement.

What HIPAA Is Really Asking For

The new proposed rules don’t demand perfect recovery. They expect thoughtful preparation based on how your organization actually works.

That means testing assumptions. Making tradeoffs visible. And building recovery plans around care delivery — not just server uptime.

The question isn’t, “Are our systems protected?”
It’s, “Can we keep taking care of people when they’re not?”

That’s the shift. And it’s the one that matters.

Want to see it in action? Explore how Main Line Health’s CSO used chaos engineering to improve patient care.

Last Word on Hospital Administrators’ Struggle With HIPAA Security Compliance

The reason hospital administrators are desperately looking for a holistic patient safety approach is that cybersecurity and technology teams don’t always think “patient first”. This is especially true when the proposed HIPAA Security Rule reads like a technical spec sheet:

  • Technology asset inventory and network map 
  • Risk analysis 
  • Contingency planning and security incident response
  • Security Rule compliance audits 
  • Reviews and tests of security measures 
  • Vulnerability scans
  • Penetration tests
  • Encryption 
  • Multi-factor authentication
  • Network segmentation
  • Anti-malware protection
  • Technical safeguards for portable devices
  • Patch management
  • Unnecessary software removal
  • Disable unused network ports
  • Data backups
  • Business associate cybersecurity

HIPAA Security Guidance from NIST

The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, has invested significant resources to help healthcare organizations attain compliance with the HIPAA Security Rule. Explore the NIST toolbox.

Beyond HIPAA: What’s Changing in Healthcare Compliance

While the future of the HIPAA Security Rule remains uncertain, other federal compliance initiatives are moving forward. A key example is CMS’s FY26 payment rule, which updates requirements for hospitals in the Medicare Promoting Interoperability Program.

Starting in 2026, hospitals and critical access hospitals will need to attest to: 

  • A Security Risk Analysis (SRA) – an evaluation of potential risks and vulnerabilities to ePHI. 
  • A new Security Risk Management (SRM) plan – a distinct attestation focused on how the hospital actively mitigates identified risks. 

CMS Expands SAFER Guide Requirement

Beginning in 2026, hospitals must attest that they have completed a self-assessment using all eight updated SAFER Guides. These guides address critical areas such as system configuration, contingency planning, and test result management.

While many health systems already use SAFER Guides voluntarily, CMS’s mandate adds a new layer of compliance complexity. The agency’s goal is clear: strengthen health IT safety and reduce patient harm linked to EHR use.

The convergence of overlapping rules — from CMS, OCR, and others — has created a fragmented regulatory environment. It’s why organizations like CHIME continue to advocate for a more streamlined, coordinated cybersecurity framework.